Cryptology ePrint Archive: Report 2009/050

On the Portability of Generalized Schnorr Proofs

Jan Camenisch and Aggelos Kiayias and Moti Yung

Abstract: The notion of Zero Knowledge Proofs (of knowledge) [ZKP] is central to
cryptography; it provides a set of security properties that proved
indispensable in concrete protocol design. These properties are defined for any given input and also for any auxiliary verifier private state, as they are aimed at any use of the
protocol as a subroutine in a bigger application.
Moving the theoretical notion to practical designs has, however, often been
problematic. This is because the most efficient protocols fail to provide
the above ZKP properties for all possible inputs and verifier states.
This situation has created problems for protocol designers, who have often
either introduced flawed protocols (with mistakes, or without security
arguments) or been forced to use much less efficient protocols in order to
achieve the required properties. In
this work we address this issue by introducing the notion of
``protocol portability,'' a property that identifies input and
verifier state distributions under which a protocol becomes a ZKP when
called as a subroutine in a sequential execution of a larger
application. We then concentrate on the very efficient and heavily employed
``Generalized Schnorr Proofs'' (GSP) and identify the portability of
such protocols. We also point to previous protocol weaknesses and
errors that have been made in numerous applications throughout the
years, due to employment of GSP instances while lacking the notion of
portability (primarily in the case of unknown order groups). This
demonstrates that cryptographic application designers who care about
efficiency need to consider our notion carefully.
We provide a compact specification language for GSP protocols that
protocol designers can employ. Our specification language is
consistent with the ad-hoc notation that is currently widely used and it
offers automatic derivation of the proof protocol while dictating
its portability (i.e., the proper initial state and inputs) and
its security guarantees. Thus, our language specifications can be used modularly in
designs and proofs. This assures that the protocol implementation can
indeed be used as a subroutine that is ZKP in its context.
Finally, as a second alternative to designers wishing to use GSPs, we
present a modification of GSP protocols that is unconditionally
portable (i.e., ZKP) and is still quite efficient. Our constructions
are the first such protocols proven secure in the standard model
(while the previously known efficient constructions relied on the
Random Oracle model).
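
As an added illustration (this is not code from the paper, and it is not the paper's portable variant), the following Python script implements the basic Schnorr proof of knowledge of a discrete logarithm, the GSP instance conventionally written PK{(x): y = g^x}, in a prime-order subgroup. It shows all three moves of the protocol, the honest-verifier simulator and the knowledge extractor, the two ingredients that make such a protocol a zero-knowledge proof of knowledge in this setting. The group parameters (p = 2039, q = 1019, g = 4) are constructed toy values and all function names are the example's own.

```python
import secrets

# Constructed toy parameters (example's own, not from the paper): a safe prime
# p = 2q + 1 and a generator g of the order-q subgroup of Z_p^*.  Real
# deployments use a group whose order q has at least 256 bits.
P = 2039
Q = 1019
G = 4  # 4 = 2^2 is a quadratic residue != 1, so it has order exactly q


def keygen(x=None):
    """Witness x and public value y = g^x; the statement is PK{(x): y = g^x}."""
    x = secrets.randbelow(Q) if x is None else x % Q
    return x, pow(G, x, P)


# --- the three moves of the sigma protocol -------------------------------

def prover_commit(r=None):
    """Move 1: prover picks random r and sends t = g^r."""
    r = secrets.randbelow(Q) if r is None else r % Q
    return r, pow(G, r, P)


def verifier_challenge():
    """Move 2: verifier sends a uniformly random challenge c in Z_q."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Move 3: prover sends s = r + c*x mod q (reduction needs the order q)."""
    return (r + c * x) % Q


def verifier_check(y, t, c, s):
    """Accept iff g^s == t * y^c in the group."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(x, y):
    """Honest prover and honest verifier; returns the verifier's decision."""
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verifier_check(y, t, c, s)


# --- the two properties that make this a ZK proof of knowledge -----------

def simulate(y):
    """Honest-verifier zero-knowledge: build an accepting transcript (t, c, s)
    from y alone by choosing c and s first and solving for t = g^s * y^(-c)."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (-c) % Q, P)) % P
    return t, c, s


def extract(c1, s1, c2, s2):
    """Special soundness: two accepting transcripts sharing the same t with
    c1 != c2 give x = (s1 - s2) / (c1 - c2) mod q.  Inverting c1 - c2
    requires knowing the (prime) order q."""
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q


if __name__ == "__main__":
    x, y = keygen()
    print("honest run accepted:", run_protocol(x, y))
    t, c, s = simulate(y)
    print("simulated transcript accepted:", verifier_check(y, t, c, s))
    r, t = prover_commit()
    c1, c2 = 3, 11
    s1, s2 = prover_respond(x, r, c1), prover_respond(x, r, c2)
    print("extracted witness matches:", extract(c1, s1, c2, s2) == x)
```

Both the prover's reduction modulo q in prover_respond and the inversion of c1 - c2 in extract depend on the group order q being known and prime. In a group of unknown order (an RSA group, for instance) neither step is available as written: the prover must send an unreduced response, whose size leaks information about x unless r is drawn from a suitably larger range, and the extractor can no longer divide, so the standard proofs of zero knowledge and knowledge soundness do not carry over. That is the setting in which the abstract notes GSP instances have been misapplied.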